Top-5 Tips for BYOD

Time to start introducing some of the experts within Airheads Social. You hear from them every day, but it is always good to put a face on the forum posts :)

One of the Airheads Social moderators, Cameron Esdaile, aka -cam-, shares his top-5 tips for BYOD in the video below. I was able to capture his suggestions for IT engineers when it comes to ensuring network security, achieving ease of deployment and, perhaps most important of all, lowering operation and support costs.

To hear more about BYOD and what it means for your network, join us at Airheads Social for a live video event on the topic. The video will be streamed on the Airheads Social homepage on February 21st at 10am PST. You can register at: http://www.arubanetworks.com/register/BYOD/index.html

First, he suggests that IT organizations define a BYOD policy. What does a BYOD policy look like? Sounds scary, but it really does not have to be. It all starts with noting down the types of users your organization has to provide network access to: contractors, guests, temporary workers, employees, C-level execs, IT staff, etc. These folks have to access certain applications to get their job done on a day-to-day basis. The next piece of the puzzle is who can access what, when, and from where. Finally, you define access policies per device type. Certain groups of users will be allowed to use certain types of mobile devices and operating systems to get access to certain types of applications while some won't. There you go, you just started putting together your BYOD policy.

His next recommendation is to use a device-aware network. If the network does not know the device you are using when accessing these applications, it would be impossible to successfully implement a BYOD policy. The methods available today are relying on an authentication system, on intelligent fingerprinting techniques within the infrastructure, or on both.

Enforcing access control rules comes next, preferably with a stateful firewall infrastructure and an easy-to-manage content filtering system in place. Security enforcement needs to be simple to integrate with the existing network, to say the least. For instance, if the only way to enforce policies on mobile devices is through the use of different VLANs for each device type, that surely is not a scalable solution, given the types of mobile devices out there.

Next is reducing costs. Who does not want that, right? At the end of the day, all mobile devices need to connect to the network using a secure authentication method, preferably certificate-based authentication with 802.1X EAP-TLS. The problem is, this means 15-20 minutes of manual labor per device, unless there is a way to automate provisioning of authentication credentials on mobile devices. Hence Cam highly recommends having an auto-provisioning system in place as part of any BYOD initiative.

Finally, it is about physical security. What to do when your mobile device, with all the corporate email and data stored on it, is stolen or lost? This is one of the main reasons why Mobile Device Management (MDM) becomes important: it is not only about access control but sometimes about the device and what's stored inside. Revoking access to the device obviously is the immediate solution here, but it needs to be performed with care. Removal of privileges should not be performed for the user ID but rather on a per-device basis. You would not want to disable network access for an employee's laptop just because he forgot his mobile phone on a restaurant table last night ;)
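To make the policy and per-device revocation points concrete, here is an added sketch (not from Cam's video or any Aruba product) of a default-deny policy check keyed on user role and device type, with revocation tied to the device certificate serial instead of the user ID. The roles, applications, locations and serial numbers are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    role: str
    device_type: str
    apps: frozenset
    locations: frozenset      # where access is allowed from
    hours: range              # local hours of day when access is allowed

@dataclass(frozen=True)
class Device:
    cert_serial: str          # identifies the device, not the user
    user: str
    role: str
    device_type: str

# Constructed sample policy; roles, apps and locations are illustrative.
RULES = [
    Rule("employee", "laptop", frozenset({"email", "erp"}), frozenset({"office", "vpn"}), range(0, 24)),
    Rule("employee", "smartphone", frozenset({"email"}), frozenset({"office", "vpn"}), range(0, 24)),
    Rule("contractor", "laptop", frozenset({"erp"}), frozenset({"office"}), range(8, 18)),
]

class AccessController:
    def __init__(self, rules):
        self.rules = rules
        self.devices = {}             # cert_serial -> Device
        self.revoked_serials = set()  # per-device revocation list

    def enroll(self, device):
        self.devices[device.cert_serial] = device

    def revoke_device(self, cert_serial):
        self.revoked_serials.add(cert_serial)

    def authorize(self, cert_serial, app, location, hour):
        dev = self.devices.get(cert_serial)
        if dev is None or cert_serial in self.revoked_serials:
            return False              # unknown or revoked device: default deny
        return any(
            r.role == dev.role and r.device_type == dev.device_type
            and app in r.apps and location in r.locations and hour in r.hours
            for r in self.rules
        )

def lost_phone_scenario():
    ac = AccessController(RULES)
    ac.enroll(Device("SN-LAPTOP-01", "alice", "employee", "laptop"))
    ac.enroll(Device("SN-PHONE-01", "alice", "employee", "smartphone"))
    ac.revoke_device("SN-PHONE-01")   # only the lost phone is cut off
    return (ac.authorize("SN-PHONE-01", "email", "vpn", 9),
            ac.authorize("SN-LAPTOP-01", "email", "vpn", 9))
```

Because the revocation list holds certificate serials, the same user's laptop keeps working after the phone is revoked, which is the behavior the paragraph above asks for.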

That's it for now. Please join -cam- and others at our BYOD forum and continue the conversation.